Travel agents: How to book your PCI DSS journey the easy way

Travel agents are being forced to embark on a vital journey — to PCI DSS compliance. But the question is: Do you want a first-class experience or a risky, white-knuckle ride?

As we explained in our recent blog, IATA travel agents need to be compliant with Payment Card Industry Data Security Standards (PCI DSS) in the way they store, process and transmit people's payment card data. The International Air Transport Association (IATA) has set March this year as the deadline — so time is running out fast.

But the journey to PCI DSS compliance isn't obvious: there's a confusing array of suggested routes and seemingly knowledgeable guides offering to help. So, which is the best approach?

Setting the right course

If we go travelling, there's usually an easy way — or a hard way. We can take a comfortable jet, stay in smart hotels and laze by the pool. Alternatively, we could walk for miles on muddy tracks in tropical rainstorms, sleep in the open and hitch rides on passing carts.

Now the second scenario may seem authentic — and character building — but that's no comfort if the very survival of your business hangs in the balance.

Put simply, the journey to PCI DSS for travel agents can be monumentally tricky if you try to get there under your own steam — even with so-called guides pitching in at various moments. Think about traversing the ice roads of Alaska, the Sichuan-Tibet highway or crocodile-infested swamps — and you get the picture.

Here are five particular hazards that travel agents can encounter if they attempt to achieve PCI DSS compliance for themselves:

Hazard #1: Time, cost and distraction

You’ve probably already locked down processes for handling card payments on the web or via point-of-sale. Now, however, it’s time to make sure your payments over the phone are secure, especially when they involve ‘Card-Not-Present’ payments. You must ensure your network and systems are secure, implement strong access controls and maintain a range of policies, tests and monitoring. This can be massively demanding on your resources.

Hazard #2: People perils

PCI DSS is about more than stopping hackers. You can’t assume that the threat of a data breach or fraud is just from outside your organization. Figures show that the majority of fraud happens within the contact center.

Hazard #3: Customers demanding new channels

Your PCI DSS compliance must be flexible enough to allow for growing service level expectations among your customers. There are more instant and convenient channels that include Live Chat payments, Self-Service payments and Apple Pay over the phone.

Hazard #4: Increasing threats

Eckoh’s own research shows that contact centers are using multiple methods to achieve compliance. While this may help them achieve their compliance it doesn’t make it easy for them to maintain it. Multiple systems mean more cost and more time. They also mean that sensitive payment card data remains in your environment – potentially to be misused. For a long time Eckoh has advocated de-scoping of a contact center to avoid the risk.

Hazard #5: Discovering it didn't work

Verizon's 2015 PCI Compliance report found that fewer than one third of companies were still fully compliant less than a year later[1]. Compliance is not a ‘check and forget’ exercise. You need to embed processes and the right culture into every aspect of your organization to make sure you are PCI DSS compliant every minute of every day. Have you considered outsourcing your contact center to remove it entirely from PCI DSS scope?

Taking the easy route

The far easier path to PCI DSS compliance is by finding the right PCI DSS partner who can do it all for you. You simply pass the compliance headache to them, while you focus on your core business.

It's a bit like trusting an experienced travel agency with an important trip — someone who knows every inch of the globe and all the issues that make the difference — rather than 'winging it' and hoping for the best.

In fact, it's even possible to prevent sensitive cardholder data from entering your systems altogether, so even though criminals are becoming more clever, if there's no data in your systems there is nothing to steal.

For deeper insight, why not download your free copy of our guide to Rising CNP Crime in Contact Centers or our Definitive Guide to PCI DSS compliance? You'll discover everything you wanted to know about secure payments and how they can work for you.

[1] Companies investigated by Verizon's forensics team from 2005-2015 following a breach.


Posted by eckoh at 4:51 PM on Jan 22, 2018
